Enable https access to private git repositories
authorTom Hughes <tom@compton.nu>
Thu, 21 Jun 2018 21:43:58 +0000 (22:43 +0100)
committerTom Hughes <tom@compton.nu>
Thu, 21 Jun 2018 21:43:58 +0000 (22:43 +0100)
cookbooks/chef/recipes/server.rb
cookbooks/chef/templates/default/apache.erb

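--- a/cookbooks/chef/recipes/server.rb
+++ b/cookbooks/chef/recipes/server.rb
@@ -84,6 +84,10 @@ service "chef-server" do
   subscribes :restart, "systemd_service[chef-server]"
 end
 
+git_allowed = search(:node, node[:git][:allowed_nodes]).collect do |n|
+  n.ipaddresses(:role => :external)
+end.flatten
+
 apache_module "alias"
 apache_module "proxy_http"
 
@@ -95,6 +99,7 @@ end
 
 apache_site "chef.openstreetmap.org" do
   template "apache.erb"
+  variables :git_allowed => git_allowed
 end
 
 template "/etc/cron.daily/chef-server-backup" do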
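Review bot: The `git_allowed` assignment in the first hunk turns Chef search results directly into the address allowlist for the private repositories, but nothing at the call site says so, and node data returned by search is uploaded by the nodes themselves. I would add a comment above it, e.g. `# Source-IP allowlist for /var/lib/git, built from node data; node[:git][:allowed_nodes] should only match on things a node cannot set for itself`. The query lives in attributes outside this diff, so whether it is that strict cannot be checked from here. The addresses returned by `n.ipaddresses(:role => :external)` are presumably read from the same node-reported data, which is worth confirming against the helper.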
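--- a/cookbooks/chef/templates/default/apache.erb
+++ b/cookbooks/chef/templates/default/apache.erb
        CustomLog /var/log/apache2/chef.openstreetmap.org-access.log combined
        ErrorLog /var/log/apache2/chef.openstreetmap.org-error.log
 
+       DocumentRoot /var/lib/git
+
        SSLEngine on
        SSLProxyEngine on
        SSLCertificateFile /etc/ssl/certs/chef.openstreetmap.org.pem
        SSLCertificateKeyFile /etc/ssl/private/chef.openstreetmap.org.key
 
+       ProxyPassMatch ^/.*\.git/ !
        ProxyPass / https://<%= node[:fqdn] %>:4443/
        ProxyPreserveHost on
 </VirtualHost>
+
+<Directory /var/lib/git>
+       Require ip <%= @git_allowed.sort.join(" ") %>
+</Directory>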
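Review bot: The added `Require ip <%= @git_allowed.sort.join(" ") %>` line renders as a bare `Require ip` when the search in server.rb returns no nodes, and Apache refuses a `Require ip` with no argument, so an empty result would most likely break the configuration for the whole chef.openstreetmap.org site rather than just closing off git. Rendering `Require all denied` in that case fails closed without taking the proxy down, and a `uniq` keeps repeated addresses out of the directive. Separately, source address is the only control on these private repositories, and `DocumentRoot /var/lib/git` serves every file under a path matching `^/.*\.git/` to any allowed address. A short template comment saying that is intended would help the next reader.

```erb
<Directory /var/lib/git>
<% if @git_allowed.empty? -%>
        Require all denied
<% else -%>
        Require ip <%= @git_allowed.uniq.sort.join(" ") %>
<% end -%>
```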